Merge branch 'release-1.12' into release-1-12-6-chart-3-2-8

realshuting · Nov 5, 2024 · 698cbef · 698cbef
2 parents 3e501ef + 4e3bde5
commit 698cbef
Show file tree

Hide file tree

Showing 15 changed files with 651 additions and 97 deletions.
diff --git a/.github/workflows/load-testing.yml b/.github/workflows/load-testing.yml
diff --git a/Makefile b/Makefile
@@ -27,6 +27,7 @@ REPO_CLEANUP         := $(REGISTRY)/$(REPO)/$(CLEANUP_IMAGE)
 REPO_REPORTS         := $(REGISTRY)/$(REPO)/$(REPORTS_IMAGE)
 REPO_BACKGROUND      := $(REGISTRY)/$(REPO)/$(BACKGROUND_IMAGE)
 USE_CONFIG           ?= standard
+INSTALL_VERSION	     ?= 3.2.6
 
 #########
 # TOOLS #
@@ -997,7 +998,17 @@ kind-install-kyverno: $(HELM) ## Install kyverno helm chart
 		--set crds.migration.image.registry=$(LOCAL_REGISTRY) \
 		--set crds.migration.image.repository=$(LOCAL_CLI_REPO) \
 		--set crds.migration.image.tag=$(GIT_SHA) \
-		$(foreach CONFIG,$(subst $(COMMA), ,$(USE_CONFIG)),--values ./scripts/config/$(CONFIG)/kyverno.yaml)
+		$(foreach CONFIG,$(subst $(COMMA), ,$(USE_CONFIG)),--values ./scripts/config/$(CONFIG)/kyverno.yaml) \
+		$(EXPLICIT_INSTALL_SETTINGS)
+
+.PHONY: kind-install-kyverno-from-repo
+kind-install-kyverno-from-repo: $(HELM) ## Install Kyverno Helm Chart from the Kyverno repo
+	@echo Install kyverno chart... >&2
+	@$(HELM) upgrade --install kyverno --namespace kyverno --create-namespace --wait \
+		--repo https://kyverno.github.io/kyverno/ kyverno \
+		--version $(INSTALL_VERSION) \
+		$(foreach CONFIG,$(subst $(COMMA), ,$(USE_CONFIG)),--values ./scripts/config/$(CONFIG)/kyverno.yaml) \
+		$(EXPLICIT_INSTALL_SETTINGS)
 
 .PHONY: kind-install-goldilocks
 kind-install-goldilocks: $(HELM) ## Install goldilocks helm chart
@@ -1029,6 +1040,10 @@ kind-deploy-reporter: $(HELM) ## Deploy policy-reporter helm chart
 		--values ./scripts/config/standard/kyverno-reporter.yaml
 	@kubectl port-forward -n policy-reporter services/policy-reporter-ui  8082:8080
 
+.PHONY: kind-admission-controller-image-name
+kind-admission-controller-image-name: ## Print admission controller image name
+	@echo -n $(LOCAL_REGISTRY)/$(LOCAL_KYVERNO_REPO):$(GIT_SHA)
+
 ###########
 # ROLLOUT #
 ###########

diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml
@@ -34,9 +34,7 @@ annotations:
   # valid kinds are: added, changed, deprecated, removed, fixed and security
   artifacthub.io/changes: |
     - kind: added
-      description: Add a key to preserve configmap settings during upgrade
-    - kind: added
-      description: Make admission reports breaker threshold configurable
+      description: Added customLabels to the pods label metadata of the cronjobs
 dependencies:
   - name: grafana
     version: 3.2.8

diff --git a/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml
@@ -20,10 +20,11 @@ spec:
           annotations:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.cleanupJobs.admissionReports.podLabels }}
           labels:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
+            {{- include "kyverno.cleanup.labels" . | nindent 12 }}
+            {{- with .Values.cleanupJobs.admissionReports.podLabels }}
+            {{- tpl (toYaml .) $ | nindent 12 }}
+            {{- end }}
         spec:
           serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
           {{- with .Values.cleanupJobs.admissionReports.podSecurityContext }}

diff --git a/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml
@@ -20,10 +20,11 @@ spec:
           annotations:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.cleanupJobs.clusterAdmissionReports.podLabels }}
           labels:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
+            {{- include "kyverno.cleanup.labels" . | nindent 12 }}
+            {{- with .Values.cleanupJobs.clusterAdmissionReports.podLabels }}
+            {{- tpl (toYaml .) $ | nindent 12 }}
+            {{- end }}
         spec:
           serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
           {{- with .Values.cleanupJobs.clusterAdmissionReports.podSecurityContext }}

diff --git a/charts/kyverno/templates/cleanup/cleanup-cluster-ephemeral-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-cluster-ephemeral-reports.yaml
@@ -23,10 +23,11 @@ spec:
           annotations:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.cleanupJobs.clusterEphemeralReports.podLabels }}
           labels:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
+            {{- include "kyverno.cleanup.labels" . | nindent 12 }}
+            {{- with .Values.cleanupJobs.clusterEphemeralReports.podLabels }}
+            {{- tpl (toYaml .) $ | nindent 12 }}
+            {{- end }}
         spec:
           serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
           {{- with .Values.cleanupJobs.clusterEphemeralReports.podSecurityContext }}

diff --git a/charts/kyverno/templates/cleanup/cleanup-ephemeral-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-ephemeral-reports.yaml
@@ -23,10 +23,11 @@ spec:
           annotations:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.cleanupJobs.ephemeralReports.podLabels }}
           labels:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
+            {{- include "kyverno.cleanup.labels" . | nindent 12 }}
+            {{- with .Values.cleanupJobs.ephemeralReports.podLabels }}
+            {{- tpl (toYaml .) $ | nindent 12 }}
+            {{- end }}
         spec:
           serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
           {{- with .Values.cleanupJobs.ephemeralReports.podSecurityContext }}

diff --git a/charts/kyverno/templates/cleanup/cleanup-update-requests.yaml b/charts/kyverno/templates/cleanup/cleanup-update-requests.yaml
@@ -23,10 +23,11 @@ spec:
           annotations:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.cleanupJobs.updateRequests.podLabels }}
           labels:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
+            {{- include "kyverno.cleanup.labels" . | nindent 12 }}
+            {{- with .Values.cleanupJobs.updateRequests.podLabels }}
+            {{- tpl (toYaml .) $ | nindent 12 }}
+            {{- end }}
         spec:
           serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
           {{- with .Values.cleanupJobs.updateRequests.podSecurityContext }}

diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml
@@ -49410,6 +49410,11 @@ spec:
       backoffLimit: 3
       template:
         metadata:
+          labels:
+            app.kubernetes.io/component: cleanup
+            app.kubernetes.io/instance: kyverno
+            app.kubernetes.io/part-of: kyverno
+            app.kubernetes.io/version: latest
         spec:
           serviceAccountName: kyverno-cleanup-jobs
           containers:
@@ -49460,6 +49465,11 @@ spec:
       backoffLimit: 3
       template:
         metadata:
+          labels:
+            app.kubernetes.io/component: cleanup
+            app.kubernetes.io/instance: kyverno
+            app.kubernetes.io/part-of: kyverno
+            app.kubernetes.io/version: latest
         spec:
           serviceAccountName: kyverno-cleanup-jobs
           containers:
@@ -49510,6 +49520,11 @@ spec:
       backoffLimit: 3
       template:
         metadata:
+          labels:
+            app.kubernetes.io/component: cleanup
+            app.kubernetes.io/instance: kyverno
+            app.kubernetes.io/part-of: kyverno
+            app.kubernetes.io/version: latest
         spec:
           serviceAccountName: kyverno-cleanup-jobs
           containers:
@@ -49560,6 +49575,11 @@ spec:
       backoffLimit: 3
       template:
         metadata:
+          labels:
+            app.kubernetes.io/component: cleanup
+            app.kubernetes.io/instance: kyverno
+            app.kubernetes.io/part-of: kyverno
+            app.kubernetes.io/version: latest
         spec:
           serviceAccountName: kyverno-cleanup-jobs
           containers:

diff --git a/scripts/config/standard-with-profiling/kyverno.yaml b/scripts/config/standard-with-profiling/kyverno.yaml
@@ -0,0 +1,67 @@
+features:
+  policyExceptions:
+    enabled: true
+  omitEvents:
+    eventTypes: []
+
+admissionController:
+  extraArgs:
+    v: 4
+  rbac:
+    clusterRole:
+      extraResources:
+        - apiGroups:
+            - "*"
+          resources:
+            - secrets
+          verbs:
+            - create
+            - update
+            - patch
+            - delete
+            - get
+            - list
+  profiling:
+    enabled: true
+    serviceType: NodePort
+    nodePort: 30950
+
+backgroundController:
+  extraArgs:
+    v: 4
+  rbac:
+    clusterRole:
+      extraResources:
+        - apiGroups:
+            - "*"
+          resources:
+            - configmaps
+            - networkpolicies
+            - resourcequotas
+            - secrets
+            - roles
+            - rolebindings
+            - limitranges
+            - namespaces
+            - nodes
+            - nodes/status
+            - pods
+          verbs:
+            - create
+            - update
+            - patch
+            - delete
+            - get
+            - list
+
+cleanupController:
+  rbac:
+    clusterRole:
+      extraResources:
+        - apiGroups:
+            - ""
+          resources:
+            - pods
+          verbs:
+            - list
+            - delete
diff --git a/scripts/config/stress-with-profiling/kyverno.yaml b/scripts/config/stress-with-profiling/kyverno.yaml
diff --git a/test/load/k6/pull_request-matrix.json b/test/load/k6/pull_request-matrix.json
@@ -0,0 +1,79 @@
+[
+  {
+    "name": "kyverno-pss",
+    "scenario": "",
+    "replicas": 1,
+    "cpu_request": "100m",
+    "memory_request": "128Mi",
+    "memory_limit": "384Mi",
+    "concurrent_connections": 10,
+    "total_iterations": 1000,
+    "extra_options": "--no-teardown"
+  },
+  {
+    "name": "kyverno-pss",
+    "scenario": "",
+    "replicas": 1,
+    "cpu_request": "100m",
+    "memory_request": "128Mi",
+    "memory_limit": "384Mi",
+    "concurrent_connections": 20,
+    "total_iterations": 5000,
+    "extra_options": "--no-teardown"
+  },
+  {
+    "name": "kyverno-pss",
+    "scenario": "",
+    "replicas": 1,
+    "cpu_request": "100m",
+    "memory_request": "128Mi",
+    "memory_limit": "384Mi",
+    "concurrent_connections": 50,
+    "total_iterations": 10000,
+    "extra_options": "--no-teardown"
+  },
+  {
+    "name": "kyverno-pss",
+    "scenario": "",
+    "replicas": 3,
+    "cpu_request": "100m",
+    "memory_request": "128Mi",
+    "memory_limit": "384Mi",
+    "concurrent_connections": 10,
+    "total_iterations": 1000,
+    "extra_options": "--no-teardown"
+  },
+  {
+    "name": "kyverno-pss",
+    "scenario": "",
+    "replicas": 3,
+    "cpu_request": "100m",
+    "memory_request": "128Mi",
+    "memory_limit": "384Mi",
+    "concurrent_connections": 20,
+    "total_iterations": 5000,
+    "extra_options": "--no-teardown"
+  },
+  {
+    "name": "kyverno-pss",
+    "scenario": "",
+    "replicas": 3,
+    "cpu_request": "100m",
+    "memory_request": "128Mi",
+    "memory_limit": "384Mi",
+    "concurrent_connections": 50,
+    "total_iterations": 10000,
+    "extra_options": "--no-teardown"
+  },
+  {
+    "name": "kyverno-generate",
+    "scenario": "",
+    "replicas": 1,
+    "cpu_request": "100m",
+    "memory_request": "128Mi",
+    "memory_limit": "384Mi",
+    "concurrent_connections": 10,
+    "total_iterations": 1000,
+    "extra_options": ""
+  }
+]